Enterprise Patch Management and Enterprise Configuration Management – Two Big Network Security Threats
I visit lots of customer sites each year and see many security-related commonalities amongst them. At the top of this list, from a network security perspective is the lack of attention paid to enterprise patch management and enterprise configuration management.
For better or for worse, Microsoft has taught the industry to patch once a month. But, most of Microsoft’s patches released on this monthly cycle deal only with the various Microsoft Operating Systems and fail to address vulnerabilities in primary or secondary applications or services such as Exchange, SharePoint, IIS, etc. Due to this type of release cycle, and a lack of self education on the part of the administration staff, many organizations are failing to effectively patch the technologies and applications that lie on top of their Operating Systems, such as Oracle databases and desktop applications like Adobe Acrobat. Without a comprehensive patch management program, organizations continue to have significant gaps in their security based on missing patches.
Honestly, enterprise patch management doesn’t have to be a problem. Just recently, Microsoft released their new patch management solution, which provided better flexibility to manage patches at the desktop and secondary application level. Additionally, there have been solutions available on the market that enable organizations to effectively maintain operating system patches for not only Windows but other operating systems such as Linux and Unix, as well as primary and secondary functioning applications like SQL servers, MS Office and the various Adobe products. Some even go as far as providing better support for pushing antivirus updates. Many of these solutions also provide the capabilities companies need to maintain consistent hardware configuration settings.
Just as enterprise patch management is a fixable issue, so is network enterprise configuration management. From a hardening procedure standpoint, organizations spend a lot of time creating their standard system build image and forget to come back and update that image on a regular basis. A solution that was effective six to 12 months ago will not be effective today, and it will leave a network vulnerable. Standards change and the Internet is not static. Therefore, it’s important for companies to pay attention to ongoing maintenance of standards and policies and make ongoing changes as appropriate.
As you can see, when it comes to network security the people and processes are just as important as the technology - maybe even more so. I strongly believe that the biggest potential mistake administrators and/or companies can make is not educating their users.
The majority of recent attacks faced by Twitter and Google are directly targeting the employees and users of corporate networks. Companies that haven’t taught their users the basics of what to avoid can pretty much assume they’re going to get infected by the next big infestation/attack, especially when you couple that with legacy technologies like Internet Explorer 6 as the standard browser they are required to use. Providing ongoing user awareness training and seminars that include real world examples and scenarios is the best way to educate users on their requirements to help keep the environment as secure as possible.
Companies also need to focus more on using the right resources for the right initiatives. A common mistake that I’ve seen over the past two years happens when an organization buys a Web Application Firewall(WAF) and leverages network operations personnel to implement and maintain the system. Unfortunately they will find out the hard way that they are using the wrong resources. A WAF requires detailed knowledge of the Web environment and application infrastructure, which many network operational professionals do not have. Based on a strong understanding of Web applications, an application level professional or developer would be a better choice for ongoing maintenance of this type of technology - at least from a policy and technology enforcement perspective.
I’d love to hear about the changes your company has made to harden network security. Let me know!